Hi, Have you heard about NAC and HIPS?
http://en.wikipedia.org/wiki/Network_Access_Control http://en.wikipedia.org/wiki/Host_based_intrusion_detection_system Those tools will see what you do. And if the Firewalls and IPS and HIPS and NAC cooperate with a SIM/SIEM* than you 'have to run'! :-) My example from the future: 1. The switch realise a new port activated -> sign it to SIM 2. The NAC realise your scan (or any unusual things) from the newly opened port -> sign it to SIM 3. The HIPS on host realises the scan (or any unusual things) as well -> sign it to SIM and to the Firewall 4. Firewall reacts and denies any traffic that goes through with your IP -> you may sign it 5. In the NOC** the SIM GUI is opened on a monitor and on the left corner of this monitor a camera display - from the room where the port is patched - appears 6. The camera sees you, the security guard get a phone call from NOC 7. I wake up from my sweet dreams :-) *SIM: http://en.wikipedia.org/wiki/Computer_security_incident_management **NOC: http://en.wikipedia.org/wiki/Network_operations_center Cheers, Akos -----Ursprüngliche Nachricht----- Von: [email protected] [mailto:[email protected]] Im Auftrag von [email protected] Gesendet: Mittwoch, 10. Juni 2009 17:25 An: [email protected] Betreff: An insider attack scenario Hi, I'm new to IDS/IPS... Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staffs restrictions, the company could only use a limited number of sensors, hence leave some internal sub-networks unmonitored. I guess this is quite common in real world right? So, if I were an inside attacker, I may find out sensor locations (either physical of logical locations) by fingerprinting the sensors as discussed in some previous threads or whatever tricks. Means I will know which sub-networks are monitored and others are not, right? So that I can launch attacks to those unmonitored network segments without being detected. Does this sound plausible? And what current IDS/IPS technologies can be used to against this? Thanks
